fix: preserve registry addon root CA on move (#1155)

**What problem does this PR solve?**:
In the initial
[PR](#1127)
I misunderstood how clusterctl move handles Secrets.

It only moves the Secrets in infra provider namespace and not the CAREN
namespace
https://cluster-api.sigs.k8s.io/developer/providers/contracts/clusterctl#move.
This results in the root CA being recreated and the management cluster
ends up using a different CA for the registry addon as compared to the
workload clusters.

**Which issue(s) this PR fixes**:
Fixes #

**How Has This Been Tested?**:
<!--
Please describe the tests that you ran to verify your changes.
Provide output from the tests and any manual steps needed to replicate
the tests.
-->
- Tested manually to verify that I can still push images.
- Added unit, integration and e2e tests.

**Special notes for your reviewer**:
<!--
Use this to provide any additional information to the reviewers.
This may include:
- Best way to review the PR.
- Where the author wants the most review attention on.
- etc.
-->

Author: dkoshkin

charts/cluster-api-runtime-extensions-nutanix/templates/certificates.yaml

@@ -32,20 +32,3 @@ spec:
     kind: {{ .Values.certificates.issuer.kind }}
     name: {{ template "chart.issuerName" . }}
   secretName: {{ template "chart.name" . }}-admission-tls
----
-# CA used to sign certificates for the clusters' registry addons
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: registry-addon-root-ca
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "chart.labels" . | nindent 4 }}
-spec:
-  isCA: true
-  commonName: registry-addon
-  secretName: registry-addon-root-ca
-  issuerRef:
-    kind: {{ .Values.certificates.issuer.kind }}
-    name: {{ template "chart.issuerName" . }}
-  duration: 87600h  # 10 years

common/go.mod

@@ -20,6 +20,7 @@ require (
 	k8s.io/apiextensions-apiserver v0.32.6
 	k8s.io/apimachinery v0.32.6
 	k8s.io/apiserver v0.32.6
+	k8s.io/client-go v0.32.6
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
 	sigs.k8s.io/cluster-api v1.10.3
 	sigs.k8s.io/cluster-api/test v1.10.3
@@ -86,7 +87,6 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/client-go v0.32.6 // indirect
 	k8s.io/cluster-bootstrap v0.32.3 // indirect
 	k8s.io/component-base v0.32.6 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect

common/pkg/capi/utils/utils.go

@@ -15,38 +15,110 @@ import (
 )
 
 // ManagementCluster returns a Cluster object if c is pointing to a management cluster, otherwise returns nil.
-func ManagementCluster(ctx context.Context, c client.Client) (*clusterv1.Cluster, error) {
-	allNodes := &corev1.NodeList{}
-	err := c.List(ctx, allNodes)
+func ManagementCluster(ctx context.Context, c client.Reader) (*clusterv1.Cluster, error) {
+	clusterName, clusterNamespace, err := clusterAnnotationsFromNodes(ctx, c)
 	if err != nil {
-		return nil, fmt.Errorf("error listing Nodes: %w", err)
-	}
-	if len(allNodes.Items) == 0 {
-		return nil, nil
+		return nil, fmt.Errorf("error getting cluster annotations from Nodes: %w", err)
 	}
-	annotations := allNodes.Items[0].Annotations
-	clusterName := annotations[clusterv1.ClusterNameAnnotation]
-	clusterNamespace := annotations[clusterv1.ClusterNamespaceAnnotation]
+
 	if clusterName == "" && clusterNamespace == "" {
 		return nil, nil
 	}
 
+	cluster, err := managementClusterFromNodeAnnotations(ctx, c, clusterName, clusterNamespace)
+	if err != nil {
+		if k8serrors.IsNotFound(err) || meta.IsNoMatchError(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	return cluster, nil
+}
+
+// ManagementOrFutureManagementCluster returns a Cluster object to either the management cluster,
+// when c is a client to the management cluster.
+// Or a cluster that is assumed to become the management cluster in the future,
+// when is c is a client to a bootstrap cluster and there is only a single Cluster object.
+func ManagementOrFutureManagementCluster(ctx context.Context, c client.Reader) (*clusterv1.Cluster, error) {
+	clusterName, clusterNamespace, err := clusterAnnotationsFromNodes(ctx, c)
+	if err != nil {
+		return nil, fmt.Errorf("error getting cluster annotations from Nodes: %w", err)
+	}
+
+	var cluster *clusterv1.Cluster
+	switch {
+	case clusterName != "" && clusterNamespace != "":
+		cluster, err = managementClusterFromNodeAnnotations(ctx, c, clusterName, clusterNamespace)
+	case clusterName == "" && clusterNamespace == "":
+		cluster, err = managementClusterFromBootstrapClient(ctx, c)
+	case clusterName == "":
+		err = fmt.Errorf("missing %q annotation", clusterv1.ClusterNameAnnotation)
+	case clusterNamespace == "":
+		err = fmt.Errorf("missing %q annotation", clusterv1.ClusterNamespaceAnnotation)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("error determining management cluster for the provided client: %w", err)
+	}
+
+	return cluster, nil
+}
+
+func clusterAnnotationsFromNodes(ctx context.Context, c client.Reader) (string, string, error) {
+	allNodes := &corev1.NodeList{}
+	err := c.List(ctx, allNodes)
+	if err != nil {
+		return "", "", fmt.Errorf("error listing Nodes: %w", err)
+	}
+
+	// Get node annotations that should exist in the management cluster.
+	annotations := make(map[string]string)
+	if len(allNodes.Items) > 0 {
+		annotations = allNodes.Items[0].Annotations
+	}
+	return annotations[clusterv1.ClusterNameAnnotation], annotations[clusterv1.ClusterNamespaceAnnotation], nil
+}
+
+func managementClusterFromNodeAnnotations(
+	ctx context.Context,
+	c client.Reader,
+	clusterName, clusterNamespace string,
+) (*clusterv1.Cluster, error) {
 	cluster := &clusterv1.Cluster{}
 	key := client.ObjectKey{
 		Name:      clusterName,
 		Namespace: clusterNamespace,
 	}
-	err = c.Get(ctx, key, cluster)
+	err := c.Get(ctx, key, cluster)
 	if err != nil {
-		if k8serrors.IsNotFound(err) || meta.IsNoMatchError(err) {
-			return nil, nil
-		}
 		return nil, fmt.Errorf("error getting Cluster object based on Node annotations: %w", err)
 	}
 
 	return cluster, nil
 }
 
+// managementClusterFromBootstrapClient returns a Cluster object that is assumed to become the management cluster.
+// Returns an error if there is not exactly one Cluster object in the cluster.
+func managementClusterFromBootstrapClient(
+	ctx context.Context,
+	c client.Reader,
+) (*clusterv1.Cluster, error) {
+	clusters := &clusterv1.ClusterList{}
+	err := c.List(ctx, clusters)
+	if err != nil {
+		return nil, fmt.Errorf("error listing Clusters: %w", err)
+	}
+
+	switch {
+	case len(clusters.Items) == 0:
+		return nil, fmt.Errorf("no Cluster objects found")
+	case len(clusters.Items) > 1:
+		return nil, fmt.Errorf("multiple Cluster objects found, expected exactly one")
+	default:
+		return &clusters.Items[0], nil
+	}
+}
+
 func GetProvider(cluster *clusterv1.Cluster) string {
 	if cluster == nil {
 		return ""